# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.

## GitLab CI

<% if @https && @redirect_http_to_https %>
server {
<% @listen_addresses.each do |listen_address| %>
  listen <%= listen_address %>:<%= @redirect_http_to_https_port %>;
<% end %>
  server_name <%= @fqdn %>;
  server_tokens off;
  rewrite ^(.*) https://<%= @fqdn %>:<%= @port %>$1 permanent;
  access_log  <%= @log_directory %>/gitlab_ci_access.log gitlab_ci_access;
  error_log   <%= @log_directory %>/gitlab_ci_error.log;
}
<% end %>

server {
<% @listen_addresses.each do |listen_address| %>
  listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl<% end %>;
<% end %>
  server_name <%= @fqdn %>;
  server_tokens off;     # don't show the version number, a security best practice

  <% if @https %>
  ssl on;
  ssl_certificate <%= @ssl_certificate %>;
  ssl_certificate_key <%= @ssl_certificate_key %>;
  <% if @ssl_client_certificate %>
  ssl_client_certificate <%= @ssl_client_certificate%>;
   <% end %>
  ssl_ciphers '<%= @ssl_ciphers %>';
  ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
  ssl_protocols  <%= @ssl_protocols %>;
  ssl_session_cache  <%= @ssl_session_cache %>;
  ssl_session_timeout  <%= @ssl_session_timeout %>;
  <% if @ssl_dhparam %>
  ssl_dhparam <%= @ssl_dhparam %>;
  <% end %>
  <% end %>

  ## Individual nginx logs for this GitLab CI vhost
  access_log  <%= @log_directory %>/gitlab_ci_access.log gitlab_ci_access;
  error_log   <%= @log_directory %>/gitlab_ci_error.log;

  # expose API to fix runners
  location /api {
    proxy_read_timeout      <%= @proxy_read_timeout %>;
    proxy_connect_timeout   <%= @proxy_connect_timeout %>;
    proxy_redirect          off;
    proxy_set_header      X-Real-IP $remote_addr;

    # You need to specify your DNS servers that are able to resolve YOUR_GITLAB_SERVER_FQDN
    resolver <%= @resolver %>;
    proxy_pass  <%= @https ? "https" : "http" %>://<%= @gitlab_fqdn %>/ci$request_uri;
  }

  # expose build endpoint to allow trigger builds
  location ~ ^/projects/\d+/build$ {
    proxy_read_timeout      <%= @proxy_read_timeout %>;
    proxy_connect_timeout   <%= @proxy_connect_timeout %>;
    proxy_redirect          off;
    proxy_set_header      X-Real-IP $remote_addr;

    # You need to specify your DNS servers that are able to resolve YOUR_GITLAB_SERVER_FQDN
    resolver <%= @resolver %>;
    proxy_pass  <%= @https ? "https" : "http" %>://<%= @gitlab_fqdn %>/ci$request_uri;
  }

  # redirect all other CI requests
  location / {
    return 301 <%= @https ? "https" : "http" %>://<%= @gitlab_fqdn %>/ci$request_uri;
  }

  # adjust this to match the largest build log your runners might submit,
  # set to 0 to disable limit
  client_max_body_size <%= @client_max_body_size %>;

  <%= @custom_gitlab_ci_server_config %>
}
